How severe is CVE-2021-32790?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2021-32790?

This is classified as CWE-89, which is a common weakness in software security.

CVE-2021-32790 - MEDIUM Severity | CVSS 4.9

Vulnerability Description

Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.

Related Vulnerabilities

CVE-2017-14600

MEDIUM

CVSS:4.9(Medium)

Pragyan CMS v3.0 is vulnerable to an Error-Based SQL injection in cms/admin.lib.php via $_GET['del_black'], resulting in Information Disclosure.

CWE-892017

CVE-2017-14601

MEDIUM

CVSS:4.9(Medium)

Pragyan CMS v3.0 is vulnerable to a Boolean-based SQL injection in cms/admin.lib.php via $_GET['forwhat'], resulting in Information Disclosure.

CWE-892017

CVE-2017-17822

MEDIUM

CVSS:4.9(Medium)

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQ...

CWE-892017

CVE-2017-17823

MEDIUM

CVSS:4.9(Medium)

The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connec...

CWE-892017

CVE-2017-17824

MEDIUM

CVSS:4.9(Medium)

The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the d...

CWE-892017

CVE-2017-3886

MEDIUM

CVSS:4.9(Medium)

A vulnerability in the Cisco Unified Communications Manager web interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, ...

CWE-892017